
Hackers compromised a download server for a popular media-encoding software named HandBrake and used it to push stealthy malware that stole victims' password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday.

Over a four-day period ending Saturday, a download mirror located at download.handbrake.fr delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend. At the time that the malware was being distributed to unsuspecting Mac users, none of the 55 most widely used antivirus services detected it. That's according to researcher Patrick Wardle, who reported results here and here from the VirusTotal file-scanning service. When the malicious download was opened, it directed users to enter their Mac administrator password, which was then uploaded in plain text to a server controlled by the attackers. Once installed, the malware sent a variety of sensitive user files to the same server.

These files contain a number of bits of data to be exfiltrated from the machine, such as browser data (including stored form auto-fill data), keychains, and even 1Password vaults. Since the user’s password was phished previously, that can be used to unlock the keychains, and either it or other passwords found in the keychain may be able to unlock other encrypted files. (Pro tip: never store the master password for your password manager in the keychain, and make sure it’s a unique, strong password!)

HandBrake maintainers said the hacked mirror site was one of two servers used to distribute the app. Because the other site wasn't compromised, people who downloaded the app from May 2 to May 6 had a 50-50 chance of obtaining the malicious version. People who had HandBrake version 0.10.5 or earlier installed on their Mac may also have been infected because those versions didn't use cryptographic signing to verify the authenticity of downloaded updates. Versions 1.0 and later weren't susceptible. Anyone who has installed HandBrake and sees a process named "activity_agent" in the OSX Activity Monitor is infected. Another way to detect compromised Macs, according to Cybereason researcher Amit Serper: Proton stores stolen data in a file called proton.zip that's saved in ~/Library/VideoFrameworks.

To be on the safe side...

Anyone who has installed version 1.0.7 should check the SHA1 checksum of the installation file. Readers can check this sum by opening the Mac terminal, typing "shasum /path/to/HandBrake-1.0.7.dmg" where "path/to" is the folder location where the installation file is found. (People can also type "shasum" in the Terminal and then drag the installation file into the Terminal window.) If the sum that's returned is "0935a43ca90c6c419a49e4f8f1d75e68cd70b274," the file is malicious. Anyone who installed the malware should take action as soon as possible. To disinfect a Mac, remove the Launch Agent plist file fr.handbrake.activity_agent.plist, and the activity_agent.app file located in ~/Library/RenderFiles/. Then reboot the machine. Once the Mac is disinfected, users should change all passwords.

Proton is a full-featured, professionally developed Mac malware that sells for as much as $63,000 on dark-Web crime forums. It's a general-purpose backdoor that offers a range of features, including keylogging, remote login access, the ability to take and upload webcam and screenshot videos and images, and the ability to steal stored files. An earlier version of Proton shipped with a valid code-signing signature that Apple uses to certify the trustworthiness of third-party software, according to this analysis from security firm Sixgill. Earlier this year, Apple developers updated macOS to automatically detect that version, Reed said.

Malwarebytes' Reed said that both Transmission and HandBrake were originally developed by Eric Petit. Reed wrote, "Though I don't know if it means anything at all, it's certainly a fair question to wonder who has access to both of these projects that could be abused in this manner."